ID: 156160 Sample Name: Setup.exe Cookbook: default.jbs Time: 04:51:37 Date: 25/07/2019 Version: 26.0.0 Aquamarine
Copyright Joe Security LLC 2019
Analysis Report Setup.exe
Overview
General Information
Joe Sandbox Version: 26.0.0 Aquamarine
Analysis ID: 156160
Start date: 25.07.2019
Start time: 04:51:37
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 46s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Setup.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies: HCA enabled, EGA enabled, HDC enabled, AMSI enabled
Analysis stop reason: Timeout
Detection: SUS
Classification: sus39.evad.winEXE@3/4@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments: Adjust boot time; Enable AMSI; Found application associated with file extension: .exe
Warnings:
Exclude process from analysis (whitelisted): MpCmdRun.exe, sc.exe, dllhost.exe, WMIADAP.exe, conhost.exe, CompatTelRunner.exe
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Detection
Strategy: Threshold
Score: 39
Range: 0 - 100
Reporting Whitelisted: false
Confidence
Strategy: Threshold
Score: 2
Range: 0 - 5
Further Analysis Required?: true
Classification
[Classification chart. Categories: Ransomware, Miner, Spreading, Evader, Phishing, Exploiter, Banker, Spyware, Trojan / Bot, Adware. Legend: malicious, suspicious, clean.]
Analysis Advice
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Windows Remote Management; Service Execution; Windows Management Instrumentation; Scheduled Task; Command-Line Interface
Persistence: Winlogon Helper DLL; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Port Monitors; Accessibility Features; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Software Packing 1; DLL Side-Loading 1; Rootkit; Obfuscated Files or Information; Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Query Registry 1; Process Discovery 1; Application Window Discovery 1; Security Software Discovery 1 2 1; System Information Discovery 1 1
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Data Obfuscation; Fallback Channels; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol
Signature Overview
• AV Detection • Networking • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • Language, Device and Operating System Detection • Lowering of HIPS / PFW / Operating System Security Settings
AV Detection:
Antivirus or Machine Learning detection for dropped file
Antivirus or Machine Learning detection for unpacked file
Networking:
Found strings which match to known social media urls
Urls found in memory or binary data
System Summary:
Creates mutexes
PE file contains strange resources
Sample reads its own file content
Tries to load missing DLLs
Classification label
Creates temporary files
PE file has an executable .text section and no other executable section
Parts of this applications are using the .NET runtime (Probably coded in C#)
Reads software policies
Sample might require command line arguments
Spawns processes
Uses an in-process (OLE) Automation server
Found graphical window changes (likely an installer)
Uses Microsoft Silverlight
Checks if Microsoft Office is installed
PE file has a valid certificate
Submission file is bigger than most known malware samples
PE file contains a mix of data directories often seen in goodware
Contains modern PE file flags such as dynamic base (ASLR) or NX
PE file contains a debug data directory
Binary contains paths to debug symbols
PE file contains a valid data directory to section mapping
Data Obfuscation:
PE file contains an invalid checksum
PE file contains sections with non-standard names
Persistence and Installation Behavior:
Drops PE files
Creates install or setup log file
Hooking and other Techniques for Hiding and Protection:
Disables application error messages (SetErrorMode)
Malware Analysis System Evasion:
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Queries a list of all running processes
Anti Debugging:
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Enables debug privileges
Language, Device and Operating System Detection:
Queries the volume information (name, serial number etc) of a device
Queries the cryptographic machine GUID
Lowering of HIPS / PFW / Operating System Security Settings:
AV process strings found (often used to terminate AV products)
Behavior Graph
[Behavior graph. ID: 156160; Sample: Setup.exe; Startdate: 25/07/2019; Architecture: WINDOWS; Score: 39. Setup.exe started Setup.exe; dropped file: C:\Users\user\AppData\Local\...\mbahost.dll, PE32. Signatures shown: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Antivirus or Machine Learning detection for dropped file.]
Simulations
Behavior and APIs
Time Type Description 04:52:38 API Interceptor 3x Sleep call for process: Setup.exe modified
Antivirus and Machine Learning Detection
Initial Sample
Source Detection Scanner Label Link Setup.exe 0% virustotal Browse
Dropped Files
Source Detection Scanner Label Link
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll 100% Avira WORM/Lodbak.Gen
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll 100% Joe Sandbox ML
Unpacked PE Files
Source Detection Scanner Label Link Download
2.1.Setup.exe.b50000.0.unpack 100% Joe Sandbox ML Download File
0.1.Setup.exe.b50000.0.unpack 100% Joe Sandbox ML Download File
Domains
No Antivirus matches
URLs
Source Detection Scanner Label Link downloadcenter.commvault.com__cv__%s%s1.1.3__gda__%s%s%c%s=%lu_%s 0% Avira URL Cloud safe
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
No yara matches
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Startup
System is w10x64
Setup.exe (PID: 2612 cmdline: 'C:\Users\user\Desktop\Setup.exe' MD5: 9C58BAC65013AF9DB388BCDD3CCA831E)
  Setup.exe (PID: 4520 cmdline: 'C:\Users\user\Desktop\Setup.exe' -burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612 MD5: 9C58BAC65013AF9DB388BCDD3CCA831E)
Created / dropped Files
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: UTF-8 Unicode (with BOM) text, with CRLF line terminators
Size (bytes): 583
Entropy (8bit): 4.61397655631052
Encrypted: false
MD5: 0F6CD71BD425B8FE648F6C42ADA94DA6
SHA1: DF5136C33482855A3929DF5D18D0EC62EC7A24A4
SHA-256: E9FF763C23183821D082A52DFE1A4A5DFD52F9B1E56F0418D2B198E2B7995092
SHA-512: 7DD89BD5F82CA331D3337AE8E2274E78E2A8A3E849F99784FB57B4FC9843E45C49C3B58411BF48525911482E0B992A2983E36BD0C3F0142F464A77DC3EDA44C0
Malicious: false
Reputation: low
Preview: .*******************************************************************.. Machine .: 302494.. Module .: Install.log.. Commserver .: .. Product Version.: 11.80.140.0.. OS Version .: Microsoft Windows NT 6.3.9600.0.. Date .: 7/25/2019..*******************************************************************..4520 4 07/25 04:53:09 ### ManagedLogger::SetCLRThreadPoolMaxThreads - CLR ThreadPool's max threads is already set by another thread in the process. maxWorkerThreads = [1000], maxIOThreads = [1000], PID = [4520], ProcessName = [Setup]...
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 2285
Entropy (8bit): 4.798815237914724
Encrypted: false
MD5: 22CB4474370603D4C027387F68A71DF9
SHA1: B392F143255730D39194E58D2AAA929364407846
SHA-256: B0A2AFD809F3C9BC21720EFA258E54700F63DA6C294A898413BC6CB42C1BE84C
SHA-512: E19306CC276AE312563FCD1F8CE2ADF707B57074A90BE6B59A7438A527FCA8801A7288A76E305ADC550BA373BD5CAF55AFA27FDEE79337AC6AE8084649829CE7
Malicious: false
Reputation: low
Preview: 07/25/2019 04:53:08.Culture name is identified as: en-US..07/25/2019 04:53:08.Application Culture is set to en-US..07/25/2019 04:53:08.Loading the ResourceFile InstallCommon.Resources.InstallLocale.resources..07/25/2019 04:53:08.The setup is launched by user-PC\user with Administrator privilege..4520 4 07/25 04:53:09 ### ### ### - Instance log path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08..4520 4 07/25 04:53:09 ### ### ### - ##########################################################################..4520 4 07/25 04:53:09 ### ### ### - ## Installation STARTED ##..4520 4 07/25 04:53:09 ### ### ### - ##########################################################################..4520 4 07/25 04:53:09 ### ### ### - BinaryInfo file is not present at [C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BinaryInfo.xml] ..4520 4 07/25 04:53:09 ### ### ### - Command
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log
Process: C:\Users\user\Desktop\Setup.exe
File Type: ASCII text, with CRLF line terminators
Size (bytes): 1149
Entropy (8bit): 5.399738557221108
Encrypted: false
MD5: 8AA365DB67B66FD84765473D6D6EBE64
SHA1: E47E1CCF4A0C0DA4E20F762CF11F70E5E52C26CD
SHA-256: CB19C357E9A12DFD1B78ACB8166091592DB932C8CA6A40F5746AB60224EEFB83
SHA-512: A613C092A1BC0F30673B1729D944BB04492ABF27AA4F41DC79E2746592DFD2E0D3C47393D5A206A4338E9301D83207DC7D67E23D75DA9C74D3EE7C1C8A6CD8B2
Malicious: false
Reputation: low
Preview: [11A8:09C8][2019-07-25T04:52:51]i001: Burn v3.8.1128.0, Windows v6.3 (Build 9600: Service Pack 0), path: C:\Users\user\Desktop\Setup.exe, cmdline: '-burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612'..[11A8:09C8][2019-07-25T04:52:51]i000: Initializing string variable 'CommvaultPackage_InstallCondition' to value 'yes'..[11A8:09C8][2019-07-25T04:52:51]i000: Initializing string variable 'InstallSQLEnterprise' to value 'yes'..[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log'..[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\Setup.exe'..[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleName' to value 'Commvault ContentStore'..[11A8:09C8][2019-07-25T04:53:08]i000: Loading managed bootstrapper application...[11A8:09C8][2019-07-25T
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll
Process: C:\Users\user\Desktop\Setup.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes): 44201937
Entropy (8bit): 6.601345640152776
Encrypted: false
MD5: 8495F4C95F6619775915ADED8D08431E
SHA1: C7E52F3D73A3E2F3E4626D55F5E437A3C8BA5274
SHA-256: 9705DB6801D4363BAF1C639FDAA89DC5C5494BF9767F4D8113FB3B996D7EDBFB
SHA-512: B3E2BE19C8DE6941207B76FFA8E26BBFE152C5C28092E33AF8D38E734CFC300D7187BAD4E1CE4C3767C3D659D9285FE12EDAB3D711F58DCD20F8F73C620B637B
Malicious: true
Antivirus: Avira, Detection: 100%
Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Domains and IPs
Contacted Domains
No contacted domains info
URLs from Memory and Binaries
Name Source Malicious Antivirus Detection Reputation
www.codeplex.com/prism mbahost.dll.2.dr false high
aia.entrust.net/ovcs1-chain256.cer01 mbahost.dll.2.dr false high
downloadcenter.commvault.com__cv__%s%s1.1.3__gda__%s%s%c%s=%lu_%s mbahost.dll.2.dr false Avira URL Cloud: safe low
www.codeplex.com/CompositeWPF mbahost.dll.2.dr false high
crl.entrust.net/g2ca.crl0; mbahost.dll.2.dr false high
ocsp.entrust.net05 mbahost.dll.2.dr false high
compositewpf.codeplex.com/ mbahost.dll.2.dr false high
ocsp.entrust.net02 mbahost.dll.2.dr false high
crl.entrust.net/ovcs1.crl0A mbahost.dll.2.dr false high
www.apps.ietf.org/rfc/rfc3447.html#sec-9.2 mbahost.dll.2.dr false high
ocsp.entrust.net00 mbahost.dll.2.dr false high
crl.entrust.net/2048ca.crl0; mbahost.dll.2.dr false high
www.entrust.net/rpa0 mbahost.dll.2.dr false high
ocsp.entrust.net0A mbahost.dll.2.dr false high
crl.entrust.net/level1d.crl03 mbahost.dll.2.dr false high
www.codeplex.com/prism#Microsoft.Practices.Prism.ViewModel mbahost.dll.2.dr false high
www.openssl.org/support/faq.html mbahost.dll.2.dr false high
Contacted IPs
No contacted IP infos
Static File Info
General
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.996384689391448
TrID:
Win32 Executable (generic) a (10002005/4) 99.94%
Generic Win/DOS Executable (2004/3) 0.02%
DOS Executable Generic (2002/1) 0.02%
Java Script embedded in Visual Basic Script (1500/0) 0.01%
Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Setup.exe
File size: 17839920
MD5: 9c58bac65013af9db388bcdd3cca831e
SHA1: f4c63086d073334ab258b85cb853e5fbf45f2922
SHA256: 89e4fa2a77fabd996d0b06389f436a0fd550005eccc0b1c37edd00ff8858e5b4
SHA512: dc0cd49bb1be3f96e5e8917bacc7b6f9c3c2c60641375095f1f0b0d737fff2b28380763e6fdc13986f15769b8cfd54be42e2a4bc4ac0f725f7e3c2bb0e3851d1
SSDEEP: 393216:31ODbFhQ+VG+42svcpuLcphElAmx8jrsQXQAja2dhYBPkD:3CDQv+vr6cpClnysQXQmdhgPkD
File Icon
Icon Hash: 0c96162f25650523
Static PE Info
General
Entrypoint: 0x4267a5
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x52974FC4 [Thu Nov 28 14:14:28 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 67715e556e3a78ea78c756db800102a3
Authenticode Signature
Signature Valid: true
Signature Issuer: CN=Entrust Code Signing CA - OVCS1, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before, Not After: 10/30/2018 9:32:20 AM, 12/5/2021 9:02:18 AM
Subject Chain: CN="Commvault Systems, Inc.", O="Commvault Systems, Inc.", L=Tinton Falls, S=New Jersey, C=US
Version: 3
Thumbprint MD5: 554F7FF4080A39E8A9A23D446BDC0E5A
Thumbprint SHA-1: 26E375FB12C2EACFA8CAEAC9FB86E7E11F9B8899
Thumbprint SHA-256: B60D4202913F26865F0B19BCA44B71F8B715EA36A7DB8313A6BB3573A2F8050A
Serial: 00FC9CA28316F9B55800000000556679D0
Entrypoint Preview
Rich Headers
Programming Language:
[RES] VS2012 UPD1 build 51106
[C++] VS2012 UPD1 build 51106
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2012 UPD1 build 51106
Data Directories
Name Virtual Address Virtual Size Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IMPORT 0x54364 0x12c .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE 0x5c000 0xa3f8 .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0
IMAGE_DIRECTORY_ENTRY_SECURITY 0x1101d80 0x19b0
IMAGE_DIRECTORY_ENTRY_BASERELOC 0x67000 0x3660 .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG 0x3b4f0 0x38 .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_TLS 0x53cd0 0x18 .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x53c88 0x40 .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_IAT 0x3b000 0x474 .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0
IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics
.text 0x1000 0x395c4 0x39600 False 0.534764773965 data 6.54250074121 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata 0x3b000 0x1ac6e 0x1ae00 False 0.293968023256 data 4.98279190668 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data 0x56000 0x3074 0x1000 False 0.220947265625 data 2.65734870488 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.wixburn 0x5a000 0x38 0x200 False 0.09765625 data 0.535453628939 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls 0x5b000 0x9 0x200 False 0.02734375 data 0.0 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc 0x5c000 0xa3f8 0xa400 False 0.59844226372 data 6.69317084905 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc 0x67000 0x48e2 0x4a00 False 0.59375 data 5.6854252554 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country
PNG 0x5c258 0x31a1 PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced English United States
RT_ICON 0x5f3fc 0x2668 data English United States
RT_ICON 0x61a64 0x1128 data English United States
RT_ICON 0x62b8c 0x9b8 data English United States
RT_ICON 0x63544 0x468 GLS_BINARY_LSB_FIRST English United States
RT_MESSAGETABLE 0x639ac 0x21d4 data English United States
RT_GROUP_ICON 0x65b80 0x4c data English United States
RT_VERSION 0x65bcc 0x314 data English United States
RT_MANIFEST 0x65ee0 0x518 ASCII text, with CRLF line terminators English United States
Imports
DLL Import
ADVAPI32.dll OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, InitiateSystemShutdownExW, GetUserNameW, RegCloseKey, RegQueryValueExW, RegDeleteValueW, ConvertStringSecurityDescriptorToSecurityDescriptorW, DecryptFileW, CreateWellKnownSid, InitializeAcl, SetEntriesInAclW, ChangeServiceConfigW, CloseServiceHandle, OpenSCManagerW, OpenServiceW, QueryServiceStatus, CryptDestroyHash, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, SetNamedSecurityInfoW, CheckTokenMembership, AllocateAndInitializeSid, SetEntriesInAclA, SetSecurityDescriptorGroup, SetSecurityDescriptorOwner, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, RegSetValueExW, RegQueryInfoKeyW, RegEnumValueW, RegEnumKeyExW, RegDeleteKeyW, RegCreateKeyExW, GetTokenInformation, RegOpenKeyExW, QueryServiceConfigW
USER32.dll GetMessageW, PeekMessageW, PostMessageW, SetWindowLongW, PostQuitMessage, DispatchMessageW, DefWindowProcW, RegisterClassW, UnregisterClassW, CreateWindowExW, LoadCursorW, MessageBoxW, LoadBitmapW, TranslateMessage, GetWindowLongW, IsWindow, MsgWaitForMultipleObjects, WaitForInputIdle, PostThreadMessageW, GetMonitorInfoW, MonitorFromPoint, IsDialogMessageW, GetCursorPos
OLEAUT32.dll SysFreeString, SysAllocString, VariantInit, VariantClear
GDI32.dll GetObjectW, StretchBlt, SelectObject, DeleteObject, CreateCompatibleDC, DeleteDC
SHELL32.dll ShellExecuteExW, SHGetFolderPathW, CommandLineToArgvW
ole32.dll CoTaskMemFree, CoInitializeSecurity, CLSIDFromProgID, CoCreateInstance, StringFromGUID2, CoInitialize, CoInitializeEx, CoUninitialize
KERNEL32.dll GetVersionExW, CompareStringW, VerSetConditionMask, FreeLibrary, GetProcAddress, EnterCriticalSection, LeaveCriticalSection, GetSystemTime, lstrlenW, GetModuleHandleExW, GetSystemDirectoryW, GetTempPathW, GetWindowsDirectoryW, GetSystemWow64DirectoryW, GetComputerNameW, VerifyVersionInfoW, GetVolumePathNameW, GetDateFormatW, GetSystemDefaultLangID, GetUserDefaultLangID, GetStringTypeW, ExpandEnvironmentStringsW, GetFileAttributesW, ReadFile, SetFilePointerEx, CreateFileW, InterlockedExchange, InterlockedCompareExchange, LoadLibraryW, lstrlenA, RemoveDirectoryW, CreateEventW, OutputDebugStringW, ProcessIdToSessionId, OpenProcess, GetProcessId, WaitForSingleObject, WriteFile, ConnectNamedPipe, SetNamedPipeHandleState, CreateNamedPipeW, CreateThread, GetExitCodeThread, FindClose, SetFileAttributesW, FindFirstFileW, FindNextFileW, GetModuleHandleW, WaitForMultipleObjects, InterlockedIncrement, InterlockedDecrement, DuplicateHandle, CreateProcessW, SetCurrentDirectoryW, GetCurrentDirectoryW, GetExitCodeProcess, SetThreadExecutionState, CopyFileExW, ResetEvent, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, CreateFileA, CompareStringA, MapViewOfFile, UnmapViewOfFile, CreateMutexW, CreateFileMappingW, VirtualAlloc, VirtualFree, GetSystemTimeAsFileTime, DeleteFileW, GetThreadLocale, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CloseHandle, Sleep, ReleaseMutex, DeleteCriticalSection, InitializeCriticalSection, GetLastError, GetTimeZoneInformation, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, HeapFree, RaiseException, HeapAlloc, IsProcessorFeaturePresent, IsDebuggerPresent, TerminateProcess, SystemTimeToTzSpecificLocalTime, SystemTimeToFileTime, MoveFileExW, CopyFileW, RtlUnwind, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, GetCurrentThreadId, GetCurrentProcess, LocalFree, HeapSetInformation, LoadLibraryExW, SetEvent, HeapReAlloc, HeapSize, LCMapStringW, SetStdHandle, WriteConsoleW, FlushFileBuffers, SetFilePointer, GetLocalTime, FormatMessageW, GetTempFileNameW, CreateDirectoryW, GetFullPathNameW, GetModuleHandleA, GlobalAlloc, GetCurrentProcessId, SetUnhandledExceptionFilter, UnhandledExceptionFilter, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, GetFileType, GetProcessHeap, GetModuleFileNameW, GetStdHandle, GetFileSizeEx, MultiByteToWideChar, ExitProcess, DecodePointer, GetCommandLineW, SetLastError, EncodePointer, GlobalFree
Cabinet.dll
CRYPT32.dll CertGetCertificateContextProperty, CryptHashPublicKeyInfo
msi.dll
RPCRT4.dll UuidCreate
WININET.dll HttpQueryInfoW, InternetOpenW, InternetCloseHandle, InternetConnectW, InternetReadFile, InternetSetOptionW, HttpOpenRequestW, HttpAddRequestHeadersW, HttpSendRequestW, InternetErrorDlg, InternetCrackUrlW
WINTRUST.dll WTHelperGetProvSignerFromChain, CryptCATAdminCalcHashFromFileHandle, WTHelperProvDataFromStateData, WinVerifyTrust
VERSION.dll GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
Version Infos
Description Data
LegalCopyright: Copyright (c) Commvault. All rights reserved.
InternalName: setup
FileVersion: 11.80.140.0
CompanyName: Commvault
ProductName: Commvault ContentStore
ProductVersion: 11.80.140.0
FileDescription: Commvault ContentStore
OriginalFilename: Setup.exe
Translation: 0x0409 0x04e4
Possible Origin
Language of compilation system: English
Country where language is spoken: United States
Network Behavior
No network behavior found
Code Manipulations
Statistics
Behavior
System Behavior
Analysis Process: Setup.exe PID: 2612 Parent PID: 4808
General
Start time: 04:52:38
Start date: 25/07/2019
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Setup.exe'
Imagebase: 0xb50000
File size: 17839920 bytes
MD5 hash: 9C58BAC65013AF9DB388BCDD3CCA831E
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
File Activities
File Read
File Path Offset Length Completion Count Source Address Symbol
C:\Users\user\Desktop\Setup.exe unknown 64 success or wait 1 B573C5 ReadFile
C:\Users\user\Desktop\Setup.exe unknown 24 success or wait 1 B57477 ReadFile
C:\Users\user\Desktop\Setup.exe unknown 4 success or wait 1 B5753D ReadFile
C:\Users\user\Desktop\Setup.exe unknown 4 success or wait 1 B5758F ReadFile
C:\Users\user\Desktop\Setup.exe unknown 40 success or wait 1 B5763D ReadFile
C:\Users\user\Desktop\Setup.exe unknown 40 success or wait 3 B5769F ReadFile
C:\Users\user\Desktop\Setup.exe unknown 512 success or wait 1 B57792 ReadFile
C:\Users\user\Desktop\Setup.exe unknown 36 success or wait 1 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 16 success or wait 2 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 256 success or wait 2 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 8 success or wait 1 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 8 success or wait 1 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 8198 success or wait 1 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 8 success or wait 77 B7340C ReadFile
C:\Users\user\Desktop\Setup.exe unknown 4810 success or wait 77 B7340C ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} unknown 4 success or wait 1 B5EB68 ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} unknown 76 success or wait 1 B5EBFC ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} unknown 4 success or wait 1 B5EC81 ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache unknown 4 success or wait 1 B5EB68 ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache unknown 76 success or wait 1 B5EBFC ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache unknown 4 success or wait 1 B5EC81 ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache unknown 8 unknown 1 B5EDB0 ReadFile
\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} unknown 8 unknown 1 B5EDB0 ReadFile
Analysis Process: Setup.exe PID: 4520 Parent PID: 2612
General
Start time: 04:52:51
Start date: 25/07/2019
Path: C:\Users\user\Desktop\Setup.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\Setup.exe' -burn.unelevated BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335} {31AC7A97-3AA5-40B9-99E2-217A539112EA} 2612
Imagebase: 0xb50000
File size: 17839920 bytes
MD5 hash: 9C58BAC65013AF9DB388BCDD3CCA831E
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low
File Activities
File Created
File Path ; Access ; Attributes ; Options ; Completion ; Count ; Source Address ; Symbol
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1 ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B815AD ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 39 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1043\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1043\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1060\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1060\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\AkmToken.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CVUninstaller.exe.config ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120u.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\Microsoft.Practices.Prism.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcp120.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcr120.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WPF Dialogs.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\en\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\en\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr-CA\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr-CA\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\pt\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\pt\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ru\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ru\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\InstallCommon.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\System.Windows.Interactivity.resources.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ClusterUtils.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CVBasicLib.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CVBasicLibManaged.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\cvcl.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\cvcl.dll.sig ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CVFocus.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CvManagedLogger.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\CVUninstaller.exe ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\InstallCommon.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\InstallerBA.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\LaunchInstaller.exe ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc140u.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcp140.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\UpdateNotificationCenter.exe ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\Guid.xml ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbapreq.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbapreq.thm ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbapreq.png ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1028\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1028\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1029\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1029\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1030\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1030\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1031\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1031\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1032\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1032\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1035\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1035\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1036\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1036\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1038\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1038\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1040\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1040\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1041\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1041\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1042\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1042\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1044\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1044\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1045\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1045\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1046\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1046\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1049\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1049\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1051\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1051\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1053\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1053\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1055\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\1055\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\2052\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\2052\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\2070\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\2070\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\3082\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\3082\mbapreq.wxl ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QINetwork.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\QIUtils.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\vcruntime140.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgApp.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgBase.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\XmlManagedMsgInstall.dll ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\InstallConfig.xml ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperApplicationData.xml ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B73959 ; CreateFileW
C:\Users\user\AppData\Local\Temp\ ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; B87864 ; CreateDirectoryW
C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log ; read attributes | synchronize | generic write ; normal ; synchronous io non alert | non directory file ; success or wait ; 1 ; B81851 ; CreateFileW
C:\Users\user ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 6CD4A9F6 ; unknown
C:\Users\user\AppData\Roaming ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; object name collision ; 1 ; 6CD4A9F6 ; unknown
C:\ProgramData\Commvault Systems ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; 6BBFBEFF ; CreateDirectoryW
C:\ProgramData\Commvault Systems\Galaxy ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; 6BBFBEFF ; CreateDirectoryW
C:\ProgramData\Commvault Systems\Galaxy\LogFiles ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; 6BBFBEFF ; CreateDirectoryW
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log ; read attributes | synchronize | generic write ; none ; synchronous io non alert | non directory file | open no recall ; success or wait ; 1 ; 6BBF1E60 ; CreateFileW
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08 ; read data or list directory | synchronize ; normal ; directory file | synchronous io non alert | open for backup ident | open reparse point ; success or wait ; 1 ; 6BBFBEFF ; CreateDirectoryW
C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log ; read attributes | synchronize | generic write ; none ; synchronous io non alert | non directory file | open no recall ; success or wait ; 1 ; 6BBF1E60 ; CreateFileW
File Written
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mbahost.dll
  Offset: unknown; Length: 16931; Completion: success or wait; Count: 3; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-
  Offset: unknown; Length: 2454
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-
  Offset: unknown; Length: 653
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-
  Offset: unknown; Length: 753
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120.dll
  Offset: unknown; Length: 22524; Completion: success or wait; Count: 136; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\mfc120u.dll
  Offset: unknown; Length: 21860; Completion: success or wait; Count: 137; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\Microsoft.Practices.Prism.dll
  Offset: unknown; Length: 28356; Completion: success or wait; Count: 5; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcp120.dll
  Offset: unknown; Length: 6012; Completion: success or wait; Count: 15; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\msvcr120.dll
  Offset: unknown; Length: 9436; Completion: success or wait; Count: 31; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WPF Dialogs.dll
  Offset: unknown; Length: 21564; Completion: success or wait; Count: 2; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\de\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\en\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 1084; Completion: success or wait; Count: 2; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\es\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\fr-CA\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\InstallCommon.resources.dll
  Offset: unknown; Length: 3132; Completion: success or wait; Count: 2; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\it\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ja\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 7168; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ko\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\pt\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\ru\InstallCommon.resources.dll
  Offset: unknown; Length: 1084; Completion: success or wait; Count: 2; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hans\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\InstallCommon.resources.dll
  Offset: unknown; Length: 3584; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\zh-Hant\System.Windows.Interactivity.resources.dll
  Offset: unknown; Length: 6656; Completion: success or wait; Count: 1; Address: B735D4; Symbol: WriteFile
Copyright Joe Security LLC 2019 Page 41 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 9788 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 7 B735D4 WriteFile a711-29f5953d68e8}\.ba1\ClusterUtils.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... |..V...V...V..._e}.Z. 00 00 00 00 00 00 00 ....).T....y..T....y..]....y.. 00 00 00 00 00 00 00 R....y..A....y..R...t}..]...V. 00 00 00 20 01 00 00 ...... y..U....y..W....y..W... 0e 1f ba 0e 00 b4 09 V.y.W....y..W.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 12 7c 80 de 56 1d ee 8d 56 1d ee 8d 56 1d ee 8d 5f 65 7d 8d 5a 1d ee 8d c8 bd 29 8d 54 1d ee 8d 84 79 ed 8c 54 1d ee 8d 84 79 ea 8c 5d 1d ee 8d 84 79 ef 8c 52 1d ee 8d 84 79 eb 8c 41 1d ee 8d bd 79 ef 8c 52 1d ee 8d 74 7d ef 8c 5d 1d ee 8d 56 1d ef 8d f0 1d ee 8d bd 79 eb 8c 55 1d ee 8d bd 79 ee 8c 57 1d ee 8d bd 79 11 8d 57 1d ee 8d 56 1d 79 8d 57 1d ee 8d bd 79 ec 8c 57 1d ee C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 4252 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 63 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVBasicLib.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 (...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... `... 00 00 00 00 00 00 00 ..^q4...... 00 00 00 00 00 00 00 ...... +...... 00 00 00 28 01 00 00 ..A...... +...... +...... 0e 1f ba 0e 00 b4 09 +...... d.... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 84 b0 9d ec c0 d1 f3 bf c0 d1 f3 bf c0 d1 f3 bf c9 a9 60 bf d6 d1 f3 bf 5e 71 34 bf c6 d1 f3 bf 12 b5 f0 be ce d1 f3 bf 12 b5 f7 be cb d1 f3 bf 12 b5 f2 be c4 d1 f3 bf e2 b1 f5 be c2 d1 f3 bf e2 b1 f2 be d2 d1 f3 bf 2b b5 f2 be c7 d1 f3 bf c0 d1 f2 bf 41 d3 f3 bf 12 b5 f6 be e5 d1 f3 bf 2b b5 f6 be 91 d1 f3 bf 2b b5 f3 be c1 d1 f3 bf 2b b5 0c bf c1 d1 f3 bf c0 d1 64 bf c1 d1 f3
Copyright Joe Security LLC 2019 Page 42 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 24828 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVBasicLibManaged.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... S0F.2^..2^..2^..J...2 00 00 00 00 00 00 00 ^.;....2^.4V_..2^..`...2^.4V]. 00 00 00 00 00 00 00 .2^.4V[..2^.4VZ..2^..V_..2^. 00 00 00 10 01 00 00 .2 0e 1f ba 0e 00 b4 09 _..2^..V[..2^..V...2^..2...2^. cd 21 b8 01 4c cd 21 .V\..2^.Rich.2^ 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a2 53 30 46 e6 32 5e 15 e6 32 5e 15 e6 32 5e 15 ef 4a cd 15 e2 32 5e 15 3b cd 95 15 e5 32 5e 15 34 56 5f 14 e2 32 5e 15 f8 60 cd 15 e4 32 5e 15 34 56 5d 14 e7 32 5e 15 34 56 5b 14 f0 32 5e 15 34 56 5a 14 ed 32 5e 15 0d 56 5f 14 e4 32 5e 15 e6 32 5f 15 a4 32 5e 15 0d 56 5b 14 e5 32 5e 15 0d 56 a1 15 e7 32 5e 15 e6 32 c9 15 e7 32 5e 15 0d 56 5c 14 e7 32 5e 15 52 69 63 68 e6 32 5e C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 3420 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 40 B735D4 WriteFile a711-29f5953d68e8}\.ba1\cvcl.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... AkT./8T./8T./8]..8F. 00 00 00 00 00 00 00 /8...9V./8..,9\./8..*9_./8..+9 00 00 00 00 00 00 00 _./8v..9]./8T..8#./8..,9@./8. 00 00 00 10 01 00 00 . 
0e 1f ba 0e 00 b4 09 +9../8..+9A./8../9U./8...8U./ cd 21 b8 01 4c cd 21 8T..8U./8..-9U./ 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 10 f6 41 6b 54 97 2f 38 54 97 2f 38 54 97 2f 38 5d ef bc 38 46 97 2f 38 86 f3 2e 39 56 97 2f 38 86 f3 2c 39 5c 97 2f 38 86 f3 2a 39 5f 97 2f 38 86 f3 2b 39 5f 97 2f 38 76 f7 2e 39 5d 97 2f 38 54 97 2e 38 23 97 2f 38 9f f4 2c 39 40 97 2f 38 9f f4 2b 39 cd 96 2f 38 bf f3 2b 39 41 97 2f 38 bf f3 2f 39 55 97 2f 38 bf f3 d0 38 55 97 2f 38 54 97 b8 38 55 97 2f 38 bf f3 2d 39 55 97 2f
Copyright Joe Security LLC 2019 Page 43 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 360 23 20 53 48 41 2d 31 # SHA-1 RSA EMSA- success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\cvcl.dll.sig 20 52 53 41 20 45 4d PKCS1-v1_5 Signature..# 53 41 2d 50 4b 43 53 http://www.apps.iet 31 2d 76 31 5f 35 20 f.org/rfc/rfc3447.html#sec- 53 69 67 6e 61 74 75 9.2 72 65 0d 0a 23 20 68 ....64a931cf3969cc4f0d8c4 74 74 70 3a 2f 2f 77 16ebc 77 77 2e 61 70 70 73 8576f733dca838425c75f7d 2e 69 65 74 66 2e 6f 7c7379d 72 67 2f 72 66 63 2f 5e55..7723b26ace79a210c 72 66 63 33 34 34 37 1733fe9 2e 68 74 6d 6c 23 73 9d85ecac6a5ca63a54476f 65 63 2d 39 2e 32 0d de99a814 0a 0d 0a 36 34 61 39 7e1aa6..c3e63c84f9090db 33 31 63 66 33 39 36 9cae0b8ec7e64d4ef913ca 39 63 63 34 66 30 64 38 63 34 31 36 65 62 63 38 35 37 36 66 37 33 33 64 63 61 38 33 38 34 32 35 63 37 35 66 37 64 37 63 37 33 37 39 64 35 65 35 35 0d 0a 37 37 32 33 62 32 36 61 63 65 37 39 61 32 31 30 63 31 37 33 33 66 65 39 39 64 38 35 65 63 61 63 36 61 35 63 61 36 33 61 35 34 34 37 36 66 64 65 39 39 61 38 31 34 37 65 31 61 61 36 0d 0a 63 33 65 36 33 63 38 34 66 39 30 39 30 64 62 39 63 61 65 30 62 38 65 63 37 65 36 34 64 34 65 66 39 31 33 63 61 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 22100 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 2 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVFocus.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ;...... v...w. 00 00 00 00 00 00 00 ...?..}.....|.~.....z.p.....{. 00 00 00 00 00 00 00 t.....~.{...].~.x.....~.I..... 00 00 00 18 01 00 00 z.~...... ~...... ~...... ~... 0e 1f ba 0e 00 b4 09 ..}.~...Rich... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 3b fe 11 c3 7f 9f 7f 90 7f 9f 7f 90 7f 9f 7f 90 76 e7 ec 90 77 9f 7f 90 e1 3f b8 90 7d 9f 7f 90 ad fb 7c 91 7e 9f 7f 90 ad fb 7a 91 70 9f 7f 90 ad fb 7b 91 74 9f 7f 90 ad fb 7e 91 7b 9f 7f 90 5d ff 7e 91 78 9f 7f 90 7f 9f 7e 90 49 9f 7f 90 94 fb 7a 91 7e 9f 7f 90 94 fb 7f 91 7e 9f 7f 90 94 fb 80 90 7e 9f 7f 90 7f 9f e8 90 7e 9f 7f 90 94 fb 7d 91 7e 9f 7f 90 52 69 63 68 7f 9f 7f
Copyright Joe Security LLC 2019 Page 44 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 28340 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CvManagedLogger.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...... 00 00 00 00 00 00 00 [...... !..0...... 00 00 00 00 00 00 00 ...... ` 00 00 00 00 00 00 00 ...... Uj....@...... 00 00 00 80 00 00 00 ...... 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 91 fa b1 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 f2 00 00 00 06 00 00 00 00 00 00 da 10 01 00 00 20 00 00 00 20 01 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 02 00 00 55 6a 01 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 23316 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 5 B735D4 WriteFile a711-29f5953d68e8}\.ba1\CVUninstaller.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...}.. 00 00 00 00 00 00 00 [...... 0...... ^...... 00 00 00 00 00 00 00 ..@...... 00 00 00 00 00 00 00 ...... @...... 00 00 00 80 00 00 00 ...... 
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 7d d6 e5 5b 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 96 01 00 00 8c 00 00 00 00 00 00 5e b5 01 00 00 20 00 00 00 c0 01 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 02 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Copyright Joe Security LLC 2019 Page 45 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 14100 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 118 B735D4 WriteFile a711-29f5953d68e8}\.ba1\InstallCommon.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0..@:...... z^:.. ...`:...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 :...... @...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 05 ad 93 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 40 3a 00 00 06 00 00 00 00 00 00 7a 5e 3a 00 00 20 00 00 00 60 3a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 3a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 28436 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 21 B735D4 WriteFile a711-29f5953d68e8}\.ba1\InstallerBA.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0...... 7...... @...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... @...... 0e 1f ba 0e 00 b4 09 ...... 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 13 ad 93 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 18 0a 00 00 06 00 00 00 00 00 00 06 37 0a 00 00 20 00 00 00 40 0a 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 0a 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00
Copyright Joe Security LLC 2019 Page 46 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 20244 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 7 B735D4 WriteFile a711-29f5953d68e8}\.ba1\LaunchInstaller.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... V...V...V@0SV.. 00 00 00 00 00 00 00 [email protected]@0PV...V&..W 00 00 00 00 00 00 00 ...V&..W 00 00 00 10 01 00 00 ...V&..W...V)SlV...V)SiV...V 0e 1f ba 0e 00 b4 09 .. cd 21 b8 01 4c cd 21 .V|..V...W...V..]V...V..5V...V 54 68 69 73 20 70 72 ...W...VRich... 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 b0 cd cc 05 f4 ac a2 56 f4 ac a2 56 f4 ac a2 56 40 30 53 56 fd ac a2 56 40 30 51 56 8e ac a2 56 40 30 50 56 ec ac a2 56 26 c8 a1 57 e7 ac a2 56 26 c8 a6 57 e6 ac a2 56 26 c8 a7 57 d2 ac a2 56 29 53 6c 56 f5 ac a2 56 29 53 69 56 ff ac a2 56 f4 ac a3 56 7c ac a2 56 1f c8 a7 57 f6 ac a2 56 1f c8 5d 56 f5 ac a2 56 f4 ac 35 56 f5 ac a2 56 1f c8 a0 57 f5 ac a2 56 52 69 63 68 f4 ac a2 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 23924 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 157 B735D4 WriteFile a711-29f5953d68e8}\.ba1\mfc140u.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... 00 00 00 00 00 00 00 {...?...?...?....I-.>....I+.>....I*. 00 00 00 00 00 00 00 (...6.M.+...u... 00 00 00 00 00 00 00 =...u...5...u...2...u...*....I 00 00 00 10 01 00 00 1.,...?...... u...... u...>... 0e 1f ba 0e 00 b4 09 u.!.>...u...>.. 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7b b4 b0 92 3f d5 de c1 3f d5 de c1 3f d5 de c1 8b 49 2d c1 3e d5 de c1 8b 49 2b c1 3e d5 de c1 8b 49 2a c1 28 d5 de c1 36 ad 4d c1 2b d5 de c1 75 b0 df c0 3d d5 de c1 75 b0 dd c0 35 d5 de c1 75 b0 da c0 32 d5 de c1 75 b0 db c0 2a d5 de c1 8b 49 31 c1 2c d5 de c1 3f d5 df c1 cd d6 de c1 75 b0 d7 c0 a5 d4 de c1 75 b0 de c0 3e d5 de c1 75 b0 21 c1 3e d5 de c1 75 b0 dc c0 3e d5 de
Copyright Joe Security LLC 2019 Page 47 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 13028 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 B735D4 WriteFile a711-29f5953d68e8}\.ba1\BootstrapperCore.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L....O.R...... 00 00 00 00 00 00 00 .!...... 00 00 00 00 00 00 00 ...... ` 00 00 00 80 00 00 00 ...... b'....@...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 c7 4f 97 52 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 00 01 00 00 20 00 00 00 00 00 00 fe 1a 01 00 00 20 00 00 00 20 01 00 00 00 00 10 00 20 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 01 00 00 10 00 00 62 27 02 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 740 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 15 B735D4 WriteFile a711-29f5953d68e8}\.ba1\msvcp140.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... V...... "P... 00 00 00 00 00 00 00 ....,...... X...... X... 00 00 00 00 00 00 00 ....X...... X...... X...e...X. 00 00 00 f8 00 00 00 ...... [email protected]...... Rich.... 0e 1f ba 0e 00 b4 09 ...... PE..L.. 
cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 56 df d1 b4 12 be bf e7 12 be bf e7 12 be bf e7 a6 22 50 e7 10 be bf e7 1b c6 2c e7 0a be bf e7 12 be be e7 d3 be bf e7 58 db be e6 11 be bf e7 58 db bc e6 1b be bf e7 58 db bb e6 1e be bf e7 58 db ba e6 04 be bf e7 58 db b7 e6 65 be bf e7 58 db bf e6 13 be bf e7 58 db 40 e7 13 be bf e7 58 db bd e6 13 be bf e7 52 69 63 68 12 be bf e7 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06
Copyright Joe Security LLC 2019 Page 48 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 1980 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 10 B735D4 WriteFile a711-29f5953d68e8}\.ba1\UpdateNotificationCenter.exe 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... s.#j..pj..pj..pcjOp~. 00 00 00 00 00 00 00 .p...ph..p...pk..p.v.q`..p.v.q 00 00 00 00 00 00 00 d..p.v.qI..p.v.ql..p...p...pj. 00 00 00 10 01 00 00 .pA..p.v.qR..p.v#pk..pj.Kpk 0e 1f ba 0e 00 b4 09 ..p.v.qk..pRichj.. cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 2e 73 b2 23 6a 12 dc 70 6a 12 dc 70 6a 12 dc 70 63 6a 4f 70 7e 12 dc 70 b7 ed 12 70 68 12 dc 70 b7 ed 0c 70 6b 12 dc 70 b8 76 df 71 60 12 dc 70 b8 76 d8 71 64 12 dc 70 b8 76 d9 71 49 12 dc 70 b8 76 dd 71 6c 12 dc 70 b7 ed 17 70 7f 12 dc 70 6a 12 dd 70 41 10 dc 70 81 76 d9 71 52 12 dc 70 81 76 23 70 6b 12 dc 70 6a 12 4b 70 6b 12 dc 70 81 76 de 71 6b 12 dc 70 52 69 63 68 6a 12 dc C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 16924 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 50 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 797 89 50 4e 47 0d 0a 1a .PNG...... IHDR...?...?..... success or wait 1 B735D4 WriteFile a711-29f5953d68e8}\.ba1\mbapreq.png 0a 00 00 00 0d 49 48 W 44 52 00 00 00 3f 00 _...... sRGB...... gAMA...... 00 00 3f 08 06 00 00 a.....pHYs...... +...... IDA 00 57 5f 10 df 00 00 ThC../W.0....P(...Db+q8$... 00 01 73 52 47 42 00 ...... J.....-..8.e]._..;...... ae ce 1c e9 00 00 00 ...Y... .Y....z\...... {W|... 
04 67 41 4d 41 00 00 .../q...<%.....C5...0....OrU.. b1 8f 0b fc 61 05 00 ..,..^...... ).....2...... 00 00 09 70 48 59 73 .i.Ge..T9T..}.7 00 00 0e c4 00 00 0e c4 01 95 2b 0e 1b 00 00 02 b2 49 44 41 54 68 43 ed 9b 2f 57 c4 30 0c c0 f7 ed 50 28 14 0e 87 44 62 2b 71 38 24 0a 87 c1 e0 ef 9b 8d cb de cb c8 4a d2 a4 dd b2 b1 2d f7 de 38 b8 65 5d 93 5f fe b5 3b ba fe c4 af ee c4 ba f7 a1 fc 59 e9 07 f9 20 cf 59 a0 eb fa ee 7a 5c 7f ec f6 bd 04 b6 e8 f6 7b 57 7c 98 7f e1 a5 9c dd 2f 71 04 d7 ac 3c 25 0f bf ef e9 18 43 35 c8 f3 16 30 c7 fc 9e a8 4f 72 55 90 0f f2 7f 2c 10 d9 5e 0a 8b c8 f6 d1 e1 cd ab f1 29 a5 1e 8e cb e5 32 1c d2 0b ce a1 ec dc ea b2 69 9d 47 65 a9 a2 54 39 54 f2 2e 7d f6 37 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 1795 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 51 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2167 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 52 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 172 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 53 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 3542 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 54 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2448 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 55 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2446 3c 3f 78 6d 6c 20 76 .. .. 
22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 56 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2378 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 57 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2510 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 58 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2454 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 59 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2274 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 60 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2122 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 61 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 2542 3c 3f 78 6d 6c 20 76 .. .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 62 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 16020 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 85 B735D4 WriteFile a711-29f5953d68e8}\.ba1\QIUtils.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... @9...j...j...j...j.. 
00 00 00 00 00 00 00 .jy..j...j5.-k...j5.*k...j5./k 00 00 00 00 00 00 00 ...j5.+k...j..(k...j../k...j.. 00 00 00 20 01 00 00 /j...j..*k...j..+k9..j...k...j 0e 1f ba 0e 00 b4 09 ...j...j...j... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a3 c8 40 39 e7 a9 2e 6a e7 a9 2e 6a e7 a9 2e 6a ee d1 bd 6a f3 a9 2e 6a 79 09 e9 6a ef a9 2e 6a 35 cd 2d 6b e8 a9 2e 6a 35 cd 2a 6b eb a9 2e 6a 35 cd 2f 6b e3 a9 2e 6a 35 cd 2b 6b c5 a9 2e 6a c5 c9 28 6b e0 a9 2e 6a c5 c9 2f 6b fa a9 2e 6a e7 a9 2f 6a bb ab 2e 6a 0c cd 2a 6b e6 a9 2e 6a 0c cd 2b 6b 39 a9 2e 6a 0c cd 2e 6b e6 a9 2e 6a 0c cd d1 6a e6 a9 2e 6a e7 a9 b9 6a e6 a9 2e C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 28388 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 3 B735D4 WriteFile a711-29f5953d68e8}\.ba1\vcruntime140.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... ~..6:..e:..e:..e.!+e8. 00 00 00 00 00 00 00 .e3.We1..e:..e...ep..d*..ep.. 00 00 00 00 00 00 00 d 00 00 00 f8 00 00 00 )..ep..d>..ep..d#..ep..d;..ep. 0e 1f ba 0e 00 b4 09 ;e;..ep..d;..eRich:..e...... cd 21 b8 01 4c cd 21 ...... PE..L.. 
54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7e dc aa 36 3a bd c4 65 3a bd c4 65 3a bd c4 65 8e 21 2b 65 38 bd c4 65 33 c5 57 65 31 bd c4 65 3a bd c5 65 10 bd c4 65 70 d8 c0 64 2a bd c4 65 70 d8 c7 64 29 bd c4 65 70 d8 c1 64 3e bd c4 65 70 d8 cc 64 23 bd c4 65 70 d8 c4 64 3b bd c4 65 70 d8 3b 65 3b bd c4 65 70 d8 c6 64 3b bd c4 65 52 69 63 68 3a bd c4 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 Copyright Joe Security LLC 2019 Page 63 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 6572 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 319 B735D4 WriteFile a711-29f5953d68e8}\.ba1\XmlManagedMsgApp.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0...... &...... 00 00 00 00 00 00 00 ...... @ 00 00 00 80 00 00 00 ...... =.....@...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 91 1e 80 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 c4 9e 00 00 06 00 00 00 00 00 00 26 e2 9e 00 00 20 00 00 00 00 9f 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 9f 00 00 02 00 00 3d db 9e 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 19884 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 43 B735D4 WriteFile a711-29f5953d68e8}\.ba1\XmlManagedMsgBase.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... 
!..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... PE..L...... \...... 00 00 00 00 00 00 00 .!..0...... +...... @...... 00 00 00 00 00 00 00 ...... 00 00 00 80 00 00 00 ...... 4.....@...... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 95 1e 80 5c 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 0c 15 00 00 06 00 00 00 00 00 00 b2 2b 15 00 00 20 00 00 00 40 15 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 15 00 00 02 00 00 34 a2 15 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 Copyright Joe Security LLC 2019 Page 64 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 14764 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 17 B735D4 WriteFile a711-29f5953d68e8}\.ba1\XmlManagedMsgInstall.dll 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... PE..L...... 00 00 00 00 00 00 00 [...... !..0..*...... zH... 00 00 00 00 00 00 00 ...`...... 00 00 00 00 00 00 00 ...... n....@...... 00 00 00 80 00 00 00 ...... 
0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 d7 b7 a5 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 30 00 00 2a 08 00 00 06 00 00 00 00 00 00 7a 48 08 00 00 20 00 00 00 60 08 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 02 00 00 ae 6e 08 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 1964 3c 3f 78 6d 6c 20 76 .. 22 31 2e 30 22 20 65 Copyright Joe Security LLC 2019 Page 65 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da- unknown 29281 3c 49 6e 73 74 61 6c Copyright Joe Security LLC 2019 Page 66 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Te unknown 485 5b 31 31 41 38 3a 30 [11A8:09C8][2019-07- success or wait 1 B80FBA WriteFile mp\Commvault_ContentStore_20190725045308.log 39 43 38 5d 5b 32 30 25T04:52:51]i001: Burn 31 39 2d 30 37 2d 32 v3.8.1128.0, Windows v6.3 35 54 30 34 3a 35 32 (Build 9600: Service Pack 3a 35 31 5d 69 30 30 0), path: C:\Users\user\D 31 3a 20 42 75 72 6e esktop\Setup.exe, cmdline: 20 76 33 2e 38 2e 31 '-burn.unelevated 31 32 38 2e 30 2c 20 BurnPipe.{5B24ECE1- 57 69 6e 64 6f 77 73 7AA3-4B09-9F16- 20 76 36 2e 33 20 28 D2569B9C6335} 42 75 69 6c 64 20 39 {31AC7A97-3AA5-40B9- 36 30 30 3a 20 53 65 99E2-217A539112EA} 26 72 76 69 63 65 20 50 61 63 6b 20 30 29 2c 20 70 61 74 68 3a 20 43 3a 5c 55 73 65 72 73 5c 47 75 63 63 69 5c 44 65 73 6b 74 6f 70 5c 53 65 74 75 70 2e 65 78 65 2c 20 63 6d 64 6c 69 6e 65 3a 20 27 2d 62 75 72 6e 2e 75 6e 65 6c 65 76 61 74 65 64 20 42 75 72 6e 50 69 70 65 2e 7b 35 42 32 34 45 43 45 31 2d 37 41 41 33 2d 34 42 30 39 2d 39 46 31 36 2d 
| File Path | Offset | Length | Ascii | Completion | Count | Source Address | Symbol |
|---|---|---|---|---|---|---|---|
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 165 | `[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleLog' to value 'C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log'..` | success or wait | 1 | B80FBA | WriteFile |
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 133 | `[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleOriginalSource' to value 'C:\Users\user\Desktop\Setup.exe'..` | success or wait | 1 | B80FBA | WriteFile |
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 113 | `[11A8:09C8][2019-07-25T04:53:08]i000: Setting string variable 'WixBundleName' to value 'Commvault ContentStore'..` | success or wait | 1 | B80FBA | WriteFile |
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 81 | `[11A8:09C8][2019-07-25T04:53:08]i000: Loading managed bootstrapper application...` | success or wait | 1 | B80FBA | WriteFile |
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 81 | `[11A8:09C8][2019-07-25T04:53:08]i000: Creating BA thread to run asynchronously...` | success or wait | 1 | B80FBA | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log` | unknown | 58 | `07/25/2019 04:53:08.Culture name is identified as: en-US..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log` | unknown | 57 | `07/25/2019 04:53:08.Application Culture is set to en-US..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log` | unknown | 94 | `07/25/2019 04:53:08.Loading the ResourceFile InstallCommon.Resources.InstallLocale.resources..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log` | unknown | 90 | `07/25/2019 04:53:08.The setup is launched by user-PC\user with Administrator privilege..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 72 | `...*******************************************************************..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 28 | `Machine .: 302494..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 33 | `Module .: Install.log..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 22 | `Commserver .: ..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 33 | `Product Version.: 11.80.140.0..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 53 | `OS Version .: Microsoft Windows NT 6.3.9600.0..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 31 | `Date .: 7/25/2019..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 69 | `*******************************************************************..` | success or wait | 1 | 6BBF1B4F | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08\Install.log` | unknown | 242 | `4520 4 07/25 04:53:09 ### ManagedLogger::SetCLRThreadPoolMaxThreads - CLR ThreadPool's max threads is already set by another thread in the process. maxWorkerThreads = [1000], maxIOThreads = [1000], PID = [4520], ProcessName = [Setup]...` | success or wait | 3 | 6BBF1B4F | WriteFile |
| `C:\Users\user\AppData\Local\Temp\Commvault_ContentStore_20190725045308.log` | unknown | 91 | `[11A8:10B8][2019-07-25T04:53:09]i000: Setting string variable 'InstallFolder' to value ''..` | success or wait | 1 | B80FBA | WriteFile |
| `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\Install.log` | unknown | 853 | `4520 4 07/25 04:53:09 ### ### ### - Instance log path: C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08..4520 4 07/25 04:53:09 ### ### ### - ##########################################################################..4520 4` | success or wait | 3 | 6BBF1B4F | WriteFile |

File Read

| File Path | Offset | Length | Completion | Count | Source Address | Symbol |
|---|---|---|---|---|---|---|
| `C:\Users\user\Desktop\Setup.exe` | unknown | 64 | success or wait | 1 | B573C5 | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 24 | success or wait | 1 | B57477 | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 4 | success or wait | 1 | B5753D | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 4 | success or wait | 1 | B5758F | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 40 | success or wait | 1 | B5763D | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 40 | success or wait | 3 | B5769F | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 512 | success or wait | 1 | B57792 | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 36 | success or wait | 1 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 16 | success or wait | 83 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 256 | success or wait | 83 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 8 | success or wait | 1 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 8 | success or wait | 1 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 8198 | success or wait | 1 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 8 | success or wait | 1426 | B7340C | ReadFile |
| `C:\Users\user\Desktop\Setup.exe` | unknown | 4810 | success or wait | 1426 | B7340C | ReadFile |
| `\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}` | unknown | 4 | success or wait | 1 | B5FB24 | ReadFile |
| `\BurnPipe.{5B24ECE1-7AA3-4B09-9F16-D2569B9C6335}.Cache` | unknown | 4 | success or wait | 1 | B5FB24 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4095 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 6135 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4097 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4098 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 7976 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4095 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 8173 | end of file | 1 | 6CCF3625 | unknown |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll.aux` | unknown | 176 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4095 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 8173 | end of file | 1 | 6CCFA974 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4095 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 6135 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4097 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4098 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 7976 | success or wait | 1 | 6CCFA974 | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4095 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 8173 | end of file | 1 | 6CCF3625 | unknown |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\d88a90d2c98cca1a9d491dfeb73352be\System.Configuration.ni.dll.aux` | unknown | 864 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System\84b9171c43be8428a7ceaf253e5d7738\System.ni.dll.aux` | unknown | 620 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\2da4cf2bb9a8f8a554da96d83ee20d39\System.Core.ni.dll.aux` | unknown | 900 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\4d91b386e64bacbfdf3b2db16155386b\System.Xml.ni.dll.aux` | unknown | 748 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4095 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 6135 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4097 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4098 | success or wait | 2 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 7976 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4121 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4253 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 8171 | end of file | 1 | 6CCF3625 | unknown |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 2 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | success or wait | 2 | 6BBF1B4F | ReadFile |
| `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config` | unknown | 4096 | end of file | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4096 | end of file | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4096 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\74e4951d24e78d60061b6f9f8d6f49f4\PresentationCore.ni.dll.aux` | unknown | 1832 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\7ede7502bdd935f2e31c32146e8206cf\WindowsBase.ni.dll.aux` | unknown | 1348 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\b8254ec01c31459d7f6f66e4d6a670a5\PresentationFramework.ni.dll.aux` | unknown | 2436 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xaml\95f7be3abae719343f354f3adc883704\System.Xaml.ni.dll.aux` | unknown | 572 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\1594c760f82b90d7a02dabb19e0b45a2\System.Xml.Linq.ni.dll.aux` | unknown | 872 | success or wait | 1 | 6CC5EE1E | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 2 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | success or wait | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\WinPackages.xml` | unknown | 8192 | end of file | 1 | 6BBF1B4F | ReadFile |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 4095 | success or wait | 1 | 6CCF3625 | unknown |
| `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\BootstrapperCore.config` | unknown | 8173 | end of file | 1 | 6CCF3625 | unknown |
| `C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatioaec034ca#\1ac2c381a4249b9c7baebb4c38cc6853\PresentationFramework.Aero2.ni.dll.aux` | unknown | 1252 | success or wait | 1 | 6CC5EE1E | ReadFile |

Registry Activities

Key Created

| Key Path | Completion | Count | Source Address | Symbol |
|---|---|---|---|---|
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps` | success or wait | 1 | 6BBF5F3C | RegCreateKeyExW |

Key Value Created

| Key Path | Name | Type | Data | Completion | Count | Source Address | Symbol |
|---|---|---|---|---|---|---|---|
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szDefaultLogDir | unicode | `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | tempInstallLogDir | unicode | `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szLogDir | unicode | `C:\ProgramData\Commvault Systems\Galaxy\LogFiles\2019-07-25 04-53-08` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | InstallInstance | unicode | `Instance001` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szSourceDir | unicode | `C:\Users\user\Desktop` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bBootStrapMode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szInstallerName | unicode | `Setup.exe` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szAssemblyDirectory | unicode | `C:\Users\user\AppData\Local\Temp\{1d96cbc4-3dc0-45da-a711-29f5953d68e8}\.ba1\` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results` | nInstallExitCode | dword | 1001 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\GalaxyRemoteInstall\Results` | nInstallJMStatus | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | nProcessor | dword | 3 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchangeTitanium | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchange2K3 | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchangeE12 | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchangeE14 | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchangeE15 | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bExchangeE16 | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bLotusDomino50Installed | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bLotusDomino60Installed | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | ProductVersion | unicode | `11.80.140.0` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | szWixBundleProviderKey | unicode | `{1d96cbc4-3dc0-45da-a711-29f5953d68e8}` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps` | CompletionDialog | unicode | `Incomplete` | success or wait | 1 | 6BBF646A | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bPlayMode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bForceReboot | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bSilentInstallMode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bCleanUpAndStartOverMode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | nJobId | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bDownloadUnixPackages | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bDownloadPackages | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bPatchingPassiveNode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bDoNotPatchDB | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bNoStartSvc | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bInstallThirdPartiesOnly | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bSetProgressReg | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bInstalltypeNewinstall | dword | 1 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | bStandbyNode | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Data` | nPlanId | dword | 0 | success or wait | 1 | 6BBFC075 | RegSetValueExW |
| `HKEY_LOCAL_MACHINE\SOFTWARE\CommVault Systems\Galaxy\Installer\Steps` | LanguageSelectionViewModel | unicode | `Incomplete` | success or wait | 1 | 6BBF646A | RegSetValueExW |

Disassembly

Code Analysis